Sage Advice - Cybersecurity Blog

How to Defend Your Organization Against Social Engineering Attacks

Social engineers are very adept at tricking people to get what they want. Whether trying to acquire sensitive information or gain access to a restricted area, they prey on our basic human nature by building trust and confidence. Because of this, social engineering poses a significant security risk to your organization, and should be part of your overall risk-management strategy.

When it comes to mitigating social engineering risks, the best defense is for your organization to create a culture of cybersecurity. This means creating a strategy that executive management is committed to, developing a workforce that is aware of cybersecurity risks and how to mitigate them, and instituting policies and procedures that everyone in the organization, your vendors, and your partners follow consistently.

Security Procedures to Stop a Social Engineer

Procedures are a sure-fire way to thwart a social engineering attack because employees don’t have to rely on their own judgment to decide what to do. They remove three common motivators that typically allow social engineering attacks to succeed: our desire to be helpful; our tendency to trust people we don’t know; and our fear of getting into trouble.

For on-site security, some easy procedures to incorporate include:

Create a calendar of expected vendors. Require that all service engagements and vendors be scheduled on a centralized calendar. If a vendor shows up and is not on the calendar, standard policy should be for them to reschedule.

Create a procedure to verify identity. You can create a standard vendor release form that states the nature of their business, or perhaps require that the internal contact person be available to verify their identity.

Assign a gatekeeper. If the gatekeeper, such as a security officer or manager, does not notify the front desk authorizing entrance, then they won’t be let in.

Require an escort. When a vendor will be on-site, have someone available to escort that person to the appropriate location and monitor them as they work.

Use visitor badges. Require that all visitors check in upon arrival, and then issue them a visitor’s badge. Badges can also be color-coded for the type of access they are allowed.

Security procedures over the phone include:

Institute a call-back practice. If an employee receives an unexpected call in which the caller requests sensitive or protected information, the standard procedure should be for the employee to call the requester back. The employee simply asks for the caller’s phone number and verifies that it’s legitimate before returning the call. If the request is fraudulent, the caller isn’t likely to provide a call-back number.

Create a verification procedure. The process should be more than a couple of questions and provide multiple check points. While this may be frustrating to some customers, it’s actually an opportunity for you to educate them about cybersecurity and explain the importance of keeping their personal information safe.

Online Situational Awareness

Procedures are only the first step. If they aren’t followed consistently, then you’re still vulnerable. That’s where security and situational awareness come into play.

Using the internet is part of our day-to-day reality, and it’s easy not to think about the risks involved. In our current threat environment though, every individual within your organization must start recognizing these risks and building habits to mitigate them, especially if you are entrusted with protecting client information.

Cybersecurity awareness training teaches your employees about the fundamentals of cybersecurity and the importance of data security, plus it can help them recognize and respond appropriately to social-engineering attempts. There are simple tricks that will make your employees cyber champions!

Ultimately, it’s easy to put procedures in place that can defeat social engineers. However, getting your whole organization to think the same way, act the same way, and understand the same things is a very difficult thing to do. Building a culture of cybersecurity can make you stronger. When good policies and a cyber-aware workforce come together, your organization can be nearly impenetrable by a social engineer.


The Tyler Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that complement and reinforce one another.